Hello, I'm trying to set up a filter to drop specific events that contain an event name from AWS. I've read through the Splunk docs and the process seems straightforward:
On the HF where I am getting my input for AWS logs I've made the updates to the props.conf and transforms.conf file like so:
props.conf
# This stanza applies only to events whose sourcetype is exactly "aws"
[aws]
TRANSFORMS-set_null = to_null

transforms.conf
[to_null]
# Unanchored regex tested against _raw (the default SOURCE_KEY); the real expression is omitted from this post
REGEX = eventname
# Matching events are routed to the null queue and discarded
DEST_KEY = queue
FORMAT = nullQueue
I did not list my regex in this example as I don't feel this is the issue (I've verified the expression works outside of splunk against the raw events).
Is there something else I am missing here? As a precaution I've also added the above files to my indexers, but am still seeing the events in question.
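To see why such a filter can silently do nothing, here is an added Python model of how a heavy forwarder applies the props/transforms pair above; it is not Splunk code or the poster's configuration. The regex, the CloudTrail-style sample records and the sourcetype names are all constructed for the example.

```python
import json
import re

# Constructed stand-ins for the props.conf / transforms.conf in the post.
PROPS = {"aws": {"TRANSFORMS-set_null": "to_null"}}
TRANSFORMS = {
    "to_null": {
        # Assumed placeholder regex: drop read-only Describe* API calls.
        "REGEX": r'"eventName":\s*"Describe\w+"',
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
        # SOURCE_KEY is omitted, so it defaults to _raw, as in the post.
    },
}

def route_event(sourcetype, raw):
    """Return the queue an event lands in. Only the props stanza whose name
    equals the event's sourcetype is consulted, and REGEX is an unanchored
    search against SOURCE_KEY (default _raw)."""
    stanza = PROPS.get(sourcetype)
    if stanza is None:
        return "indexQueue"  # no stanza matches: nothing is filtered
    queue = "indexQueue"
    for key, names in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in names.split(",")):
            t = TRANSFORMS[name]
            subject = raw if t.get("SOURCE_KEY", "_raw") == "_raw" else ""
            if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], subject):
                queue = t["FORMAT"]
    return queue

# Constructed CloudTrail-style records (sourcetype, _raw); not real data.
EVENTS = [
    ("aws", json.dumps({"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"})),
    ("aws", json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"})),
    # Same event, but ingested under a different sourcetype: the [aws] stanza never sees it.
    ("aws:cloudtrail", json.dumps({"eventName": "DescribeInstances"})),
]

def route_all(events=EVENTS):
    return [(st, json.loads(raw)["eventName"], route_event(st, raw)) for st, raw in events]

if __name__ == "__main__":
    for st, name, queue in route_all():
        print(f"{st:15} {name:18} -> {queue}")
```

Because the heavy forwarder already parses these events, the indexers do not re-run props/transforms on what it sends them, so copies of the stanzas there cannot rescue a filter that does not fire on the HF.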